You’ve probably never heard of Acxiom, but it knows a lot about you. The marketing company has a rich database of information about more than 700 million individuals, and claims to cover 90 per cent of UK households. Acxiom knows about people’s income and marital status. It claims to be able to tell advertisers what someone’s interests are, what supermarket they go to, and whether their boiler needs replacing.

The firm is not the only one to know almost everything about you from and they're now being scrutinised under the General Data Protection Regulation GDPR.

Advertisement

“The data broker and ad-tech industries are premised on exploiting people's data," says Ailidh Callander, legal officer at Privacy International, a charity that defends and promotes the right to privacy. "Most people have likely never heard of these companies, and yet they are amassing as much data about us as they can and building intricate profiles about our lives.”

Privacy International has filed complaints to the Information Commissioner’s Office in the UK and its equivalents in Ireland and France against seven such firms – data brokers Acxiom and Oracle, credit reference agencies Experian and Equifax, and ad-tech companies Quantcast, Tapad and Criteo. The companies largely deny information contained in the complaints.

Read next

This is how age verification will work under the UK's porn law

ByMatt Burgess

Privacy International used publicly available marketing documents from the companies, combined with more than 50 subject access requests for information, to build a picture of exactly how they are using our data. In its complaints to the ICO, Privacy International argues that these companies are breaking the both the general principles and the laws that came into force in March as part GDPR.

“Attention is focussed on Facebook and Google, but these are companies that we have a direct relationship with,” says Callander. She says the seven companies named in the complaints are illustrative of a wide range of less visible companies profiting from our personal information – primarily through targeted advertising, but also in potentially more serious ways too.

Advertisement

Madhumita Venkataramanan: My identity for sale

“It’s this web of data-sharing,” says Callander. “They’re adamant that they don’t know you – they go on about how they only collect pseudonymised data – but their whole business model is based on the fact that they do know you.”

Privacy International argues that these companies do not comply with the data protection principles set out by GDPR. These require data use to be transparent, fair, lawful and accurate. Data should only be used for the purpose it was collected for, and only the minimum amount should be kept on file. “You should be specific about what you’re doing with people’s data,” says Callander. “They’re not. They just provide these grand statements, about how it’s in their business interests to provide advertising and profit without going into the detail.”

Read next

Mark Zuckerberg says Facebook is pivoting to privacy. Here's what he really means

ByMatt Burgess

A key factor is people’s reasonable expectations. We might expect the credit-ratings agency Equifax to use our personal data to calculate our credit score, for example. However, a lot of people will be unaware that companies like Equifax and Experian also have marketing wings, and use data to assign people into categories which they can provide to advertisers.

Advertisement

Acxiom, for example, fits individuals into neat – although not always accurate – categories such as ‘Salt of Society’ (Married couples, who read popular press and shop at Morrisons) or ‘Urban Melting Pot’ (Live in flatshares, shop at Asda, M&S or Tesco and read The Guardian). These companies also work with the public sector.

Experian is used by a number of police forces to assess whether individuals are suitable for a rehabilitation programme, while the role of data brokers in political campaigning was the subject of an ICO report released on Tuesday. At the same time, the ICO – which has the potential to levy massive fines under GDPR – announced that it had issued assessment notices to Experian, Equifax and Acxiom.

“We are aware of concerns raised about the compliance of data protection laws by big tech companies, data brokers and credit referencing agencies,” says an ICO spokesperson. “These concerns have been raised with regulators in different EU countries and the ICO will be working with the relevant data protection authorities, and the new European Data Protection Board, to consider the facts and support any possible joint work or inquiries in other jurisdictions.”

What is GDPR? The summary guide to GDPR compliance in the UK

Read next

I tried to keep my unborn child secret from Facebook and Google

ByJames Temperton

An Experian spokesperson says the company has “worked hard to ensure we are compliant with GDPR,” while Criteo says it has “complete confidence” in its privacy practices. Acxiom says it takes data privacy “very seriously,” and that its UK business passed an audit by the Direct Marketing association in May 2017. Equifax, Quantcast and Oracle declined to comment.

Privacy International is calling on the ICO to carry out a widespread review of the practices of data brokers, credit reference agencies and ad-tech companies, although Callander believes it’s a matter of enforcing the recent GDPR regulations rather than changing them. “The burden is on the companies to seriously look at what they do and look at the law and people’s rights and come up with a better solution,” she says. “What they seem to have done is slightly amend their privacy policies.”

“We consider these companies' practices are failing to meet the standard - yet we've only been able to scratch the surface with regard to their data exploitation practices,” she continues. “GDPR gives regulators teeth and now is the time to use them to hold these companies to account.”